Every security practitioner should be aware of the overwhelming advantages of logging and perusing logs for discovering system intrusions. But logging and log management comes with its own set of difficulties. This book aims to help those who opt for it to solve these problems.
About the authors
Dr. Anton Chuvakin is a Research Director at Gartner's Gartner for Technical Professionals Security and Risk Management Strategies team, and an expert in log management, SIEM and PCI DSS compliance.
Kevin Schmidt is a senior manager at Dell SecureWorks and is responsible for the design and development of a major part of the company's SIEM platform. This includes data acquisition, correlation, and analysis of log data.
Inside the book
The book starts by explaining what logs are, why they are important, basic concepts regarding logging, log storage, and data sources, then follows with a chapter / case study of syslog-ng, and one on covert logging.
What follows is a section dedicated to log analysis: how to do it, what to look for when you're not looking and when you are looking for something in particular, how to filter, normalize and correlate log data in search for pattern (and some of the common patterns you should be searching for), and how to report on and visualize the found data.
A very helpful chapter addresses the many mistakes (past and current) that organizations make when they decide to log data, and the another one provides a good overview of the tools (both commercial and open source) that are used to collect and analyze logs.
The remainder of the tome addresses compliance issues (especially those regarding cloud logging), instructs programmers on who to improve the usefulness of log messages the logging software provides, a great chapter on attacks that can be aimed at logging systems, and one on how to plan a log analysis system.
When taking all this into consideration, it's obvious that this book can be helpful not just to sysadmins, but to engineers and managers as well.
After the occasional dryness of the text addressing the theory behind logs and logging, the book turns into an enjoyable read once the authors begin explaining the practice. There are some mistakes here and there, but nothing that would affect its overall quality.
In over 400 pages, it covers everything that random interested parties may want to know, and most of what sysadmins should know about the subject.